SEPolicy for boringssl_self_test. This CL adds hand-written SELinux rules to: - define the boringssl_self_test security domain - label the corresponding files at type boringssl_self_test_marker and boringssl_self_test_exec. - define an automatic transition from init to boringssl_self_test domains, plus appropriate access permissions. Bug: 137267623 Test: When run together with the other changes from draft CL topic http://aosp/q/topic:bug137267623_bsslselftest, check that: - both /dev/boringssl/selftest/* marker files are present after the device boots. - Test: after the boringssl_self_test{32,64} binaries have run, no further SELinux denials occur for processes trying to write the marker file. Change-Id: I77de0bccdd8c1e22c354d8ea146e363f4af7e36f

commit: 353ad0fd47aef17ff9c99d436f9fddc01eb6152b [log] [tgz]
author: Tobias Thierer <tobiast@google.com> Wed Aug 28 22:08:50 2019 +0100
committer: Tobias Thierer <tobiast@google.com> Thu Sep 05 02:40:57 2019 +0100
tree: 7b76e2796d018de5c77a3194f6d2a536e00ba383
parent: f6bd00af8b578d72dcfa07d4d66596eb9e3cb995 [diff] [blame]
diff --git a/apex/com.android.conscrypt-file_contexts b/apex/com.android.conscrypt-file_contexts
index ffc3109..abf0085 100644
--- a/apex/com.android.conscrypt-file_contexts
+++ b/apex/com.android.conscrypt-file_contexts

@@ -1,5 +1,6 @@
 #############################
 # System files
 #
-(/.*)?                   u:object_r:system_file:s0
-/lib(64)?(/.*)?          u:object_r:system_lib_file:s0
+(/.*)?                          u:object_r:system_file:s0
+/lib(64)?(/.*)?                 u:object_r:system_lib_file:s0
+/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
commit	353ad0fd47aef17ff9c99d436f9fddc01eb6152b	[log] [tgz]
author	Tobias Thierer <tobiast@google.com>	Wed Aug 28 22:08:50 2019 +0100
committer	Tobias Thierer <tobiast@google.com>	Thu Sep 05 02:40:57 2019 +0100
tree	7b76e2796d018de5c77a3194f6d2a536e00ba383
parent	f6bd00af8b578d72dcfa07d4d66596eb9e3cb995 [diff] [blame]